Heartbleed Takes Aim at VPNs, Other Risks Persist

NEWS ANALYSIS: Many leading Websites are now secure, but risks remain and companies should update and secure all their Web-facing technologies, including VPNs.

The Heartbleed security flaw remains a risk to enterprises, two weeks after first being publicly disclosed.
The Heartbleed bug is technically a security vulnerability in the open-source OpenSSL cryptographic library, which is widely used on Web servers and embedded devices. The OpenSSL project provided a patch for the Heartbleed flaw on April 7, and organizations around the world have scrambled since then to implement the patch.
According to an analysis by security firm Sucuri, as of April 17, 2 percent, or 20,320 of the top 1 million sites ranked by Amazon's Alexa service were still vulnerable to the Heartbleed vulnerability.
While Web servers remain a key target for the Heartbleed vulnerability, they aren't the only Internet technology that is at risk. Virtual private network (VPN) technology today is often deployed in the form of SSL-VPN, which has now been identified as also being under attack from Heartbleed.Security research group Mandiant, which became part of FireEye by way of a $1 billion acquisition earlier this year, is reporting that one of its clients was attacked by way of Heartbleed on a vulnerable SSL-VPN.

"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions," Mandiant security researchers wrote in a blog post. "Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users."

It's not terribly surprising that an SSL-VPN could be at risk, especially on April 8. While the open-source OpenSSL project had a patch available on April 7, it has taken time for individual vendors to properly package the patch. It also takes time for users to patch the actual technology that is in use.
What is surprising about the Mandiant discovery, however, is the fact that the attack the company's security researchers monitored also bypassed the multi-factor authentication in place at the victim's enterprise. Multi-factor authentication is supposed to help limit the risk of a single flaw like Heartbleed from exposing a user's password. With multi-factor authentication, sometimes known as two-factor authentication, or 2FA, a randomly generated second factor is used to gain access.
So what does this all mean to enterprise users?
It means that, in addition to making sure that Web servers and sites are secured and protected against Heartbleed, it is imperative that all organizations update and secure all their Web-facing technologies. Those technologies include VPNs as well as all the associated user passwords that are linked to them.
It's no small task, but the new research from Mandiant also illustrates that the risk is real.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.